Fix for CVE-2017-14860

A heap buffer overflow could occur in memcpy when icc.size_ is larger than data.size_ - pad, as then memcpy would read out of bounds of data. This commit adds a sanity check to iccLength (= icc.size_): if it is larger than data.size_ - pad (i.e. an overflow would be caused) an exception is thrown. This fixes #71.
2017-10-06 23:09:08 +02:00 · 2017-10-06 23:09:08 +02:00 · ff18fec24b
commit ff18fec24b
parent 65f45a3505
1 changed files with 7 additions and 2 deletions
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@ -269,10 +269,15 @@ namespace Exiv2
                            std::cout << "Exiv2::Jp2Image::readMetadata: "
                                     << "Color data found" << std::endl;
 #endif
-                            long pad = 3 ; // 3 padding bytes 2 0 0
+                            const long pad = 3 ; // 3 padding bytes 2 0 0
                            DataBuf data(subBox.length+8);
                            io_->read(data.pData_,data.size_);
-                            long    iccLength = getULong(data.pData_+pad, bigEndian);
+                            const long    iccLength = getULong(data.pData_+pad, bigEndian);
+                            // subtracting pad from data.size_ is safe:
+                            // size_ is at least 8 and pad = 3
+                            if (iccLength > data.size_ - pad) {
+                                throw Error(58);
+			    }
                            DataBuf icc(iccLength);
                            ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
 #ifdef DEBUG